Suspicious Schtasks Execution AppData Folder

Detects the creation of a scheduled task (schtasks) that executes a file from C:\Users\<USER>\AppData\Local

Sigma rule

title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/03/15
modified: 2022/07/28
tags:
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - '/RU'
            - '/TR'
            - 'C:\Users\'
            - '\AppData\Local\'
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks, hence it gets its own value with surrounding spaces
    filter:
        # FP from test set in SIGMA
        ParentImage|contains|all:
            - '\AppData\Local\Temp\'
            - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/TN TVInstallRestore'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
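To see how the selection, the TeamViewer filter and the `selection and not filter` condition interact, the following added example re-implements the rule's matching logic in plain Python and runs it over three constructed process_creation events (this is not code from the rule or the Sigma project; the event dicts and paths are made up, and Sigma's default case-insensitive string matching is assumed):

```python
"""Stand-alone evaluation of the rule above (example code, not part of Sigma)."""

def _contains_all(value: str, needles) -> bool:
    # Sigma 'contains|all': every needle must appear, case-insensitively.
    v = value.lower()
    return all(n.lower() in v for n in needles)

def _contains_any(value: str, needles) -> bool:
    # Sigma 'contains' with a list: any needle suffices.
    v = value.lower()
    return any(n.lower() in v for n in needles)

def selection(ev: dict) -> bool:
    cmd = ev.get("CommandLine", "")
    return (ev.get("Image", "").lower().endswith("\\schtasks.exe")
            and _contains_all(cmd, ["/Create", "/RU", "/TR", "C:\\Users\\", "\\AppData\\Local\\"])
            and _contains_any(cmd, ["NT AUT", " SYSTEM "]))

def tv_filter(ev: dict) -> bool:
    # The rule's filter: the TeamViewer installer creating its restore task.
    return (_contains_all(ev.get("ParentImage", ""), ["\\AppData\\Local\\Temp\\", "TeamViewer_.exe"])
            and ev.get("Image", "").lower().endswith("\\schtasks.exe")
            and "/tn tvinstallrestore" in ev.get("CommandLine", "").lower())

def matches(ev: dict) -> bool:
    """condition: selection and not filter"""
    return selection(ev) and not tv_filter(ev)

# Constructed sample events (not real telemetry).
EVENTS = [
    {   # Task running a binary from AppData\Local as SYSTEM -> should alert
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /Create /RU "NT AUTHORITY\SYSTEM" /SC ONLOGON /TN Updater /TR "C:\Users\alice\AppData\Local\upd\run.exe"'},
    {   # Same shape, but the TeamViewer restore task -> suppressed by the filter
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\TeamViewer_.exe",
        "CommandLine": r'schtasks /Create /RU SYSTEM /TN TVInstallRestore /TR "C:\Users\alice\AppData\Local\Temp\TeamViewer\tv.exe"'},
    {   # Task under the user's own account -> no 'NT AUT' or ' SYSTEM ', no match
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'schtasks /Create /RU alice /TN Sync /TR "C:\Users\alice\AppData\Local\tool\x.exe"'},
]

def evaluate(events=EVENTS):
    return [matches(e) for e in events]  # -> [True, False, False]

if __name__ == "__main__":
    for ev, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "ignore", ev["CommandLine"])
```

Note that the second event still satisfies `selection`; only the filter keeps it from alerting, which is why a filter keyed on a parent process path under Temp is worth reviewing when the rule is tuned.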
